I have been fighting this for a few days now without any luck. I started with the syslog forwarding from my SEPM. The data is getting to my Splunk server, so part one is functioning; however, the Symantec app tells me there are no results. As a test, I then moved to the universal forwarder, having it installed on the SEPM and dumping the logs to a local file. This also gets the data into my Splunk server, but again, no data can be searched.
I am currently just testing to see what benefit Splunk adds, but unfortunately I am not able to review any of the data because either the app is broken or the data is not being indexed correctly to get displayed. Any help is appreciated. I have looked through a number of other threads, but they all seem pretty vague and do not solve my issue.
Thanks.
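A check worth running before going further, added here as an editorial note and not part of the original post: when events are visibly arriving but an app's dashboards stay empty, the usual cause is that the events were indexed under a different index or sourcetype than the app's searches are written against. The searches below assume only that the account running them can read every index (`index=*`) and that the last 24 hours is a reasonable window; adjust both to the environment.

```spl
index=* earliest=-24h
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY index, sourcetype, host
| sort - count

| rest /servicesNS/-/-/saved/searches
| table eai:acl.app, title, search
```

The first search shows exactly where the SEPM events landed (index, sourcetype and sending host) and whether their timestamps were parsed into a sensible range; a `first_seen` far in the past or future means the time window in the app's dashboards will never cover them. The second lists every saved search on the search head with the app it belongs to, so the `index=` and `sourcetype=` terms in the Symantec app's searches can be compared against what the first search reported. Where they differ, the fix is on the forwarding side (the `sourcetype` and `index` set for the syslog input or the monitored file in `inputs.conf`), not in the app.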